A researcher has devised a method attackers with control over a victim's computer can use to clone the secret software token that RSA's SecurID uses to generate one-time passwords.

The technique, described on Thursday by a senior security analyst at a firm called SensePost, has important implications for the safekeeping of the tokens. An estimated 40 million people use these to access confidential data belonging to government agencies, military contractors, and corporations. Scrutiny of the widely used two-factor authentication system has grown since last year, when RSA revealed that intruders on its networks stole sensitive SecurID information (http://arstechnica.com/security/2011/03/rsa-says-hack-wont-allow-direct-attack-on-secureid-tokens/) that could be used to reduce its security. Defense contractor Lockheed Martin later confirmed that a separate attack on its systems was aided by the theft of the RSA data (http://www.theregister.co.uk/2011/06/06/lockheed_martin_securid_hack/).

Last week's blog post (http://www.sensepost.com/blog/7045.html) by SensePost's Behrang Fouladi demonstrated another way determined attackers could in certain cases circumvent protections built into SecurID. By reverse engineering software used to manage the cryptographic software tokens on computers running Microsoft's Windows operating system, he found that the secret "seed" was easy for people with control over the machines to deduce and copy. He provided step-by-step instructions for others to follow in order to demonstrate how easy it is to create clones that mimic verbatim the output of a targeted SecurID token.